🔒 The Cyberattack Hits Sapienza University of Rome

Sapienza University of Rome, known fondly as La Sapienza, stands as Europe's largest university by student enrollment, boasting over 115,000 students and around 8,000 staff members across its sprawling 29 departments and numerous faculties. Founded in 1303, it is one of the oldest universities in the world and a cornerstone of Italian and European higher education, renowned for its contributions to medicine, engineering, humanities, and cutting-edge research. On February 2, 2026, this academic powerhouse was thrust into digital darkness when a sophisticated cyberattack crippled its entire IT infrastructure.

The incident began with intruders breaching the university's central servers, deploying ransomware that encrypted vast amounts of data. Within hours, Sapienza's administrators made the swift decision to shut down all network systems as a precautionary measure. This included the main website, email servers, workstations, and the critical Infostud platform—a comprehensive online student management system used for everything from exam registrations to tuition payments and academic record access. The outage persisted for days, with core services remaining offline well into the following week, marking one of the most disruptive cyber events in higher education history.

What makes this attack particularly alarming is its scale. With such a massive user base, the ripple effects were immediate and profound, halting routine operations and forcing a return to analog methods in an increasingly digital academic world. Initial reports suggested the attackers left a ransom note accessible via a Tor link on the dark web, complete with a 72-hour countdown timer that activates upon viewing. University officials wisely refrained from opening it to avoid triggering the deadline, opting instead for recovery without negotiation.

Immediate Disruptions for Students, Faculty, and Operations

The fallout from the Sapienza University cyberattack was felt across every layer of university life. Students, who rely heavily on Infostud for scheduling exams, checking grades, and managing enrollments, found themselves locked out at a critical time in the academic semester. Exam bookings ground to a halt, tuition verification became impossible, and access to faculty contact details vanished, severing key communication lines.

Faculty members faced similar challenges, with email restrictions limiting collaboration and workstations offline, impeding research progress and administrative tasks. Research labs, often handling sensitive data in fields like biotechnology and physics, risked delays in ongoing projects, potentially affecting grant deadlines and publications. Administrative staff scrambled to manage deadlines manually, postponing degree applications and extending flexibility for affected students.

To mitigate chaos, Sapienza established temporary 'infopoints' on campuses—physical help desks where students could seek guidance in person. Exams continued but required direct coordination with professors, bypassing digital systems entirely. This shift highlighted the vulnerabilities of over-reliance on technology but also showcased the resilience of the community.

• Infostud portal offline: No exam bookings, grade checks, or payments.
• Email and workstations partially or fully restricted: Hampered communication and productivity.
• Website down: Blocked public access to information and resources.
• Research and teaching disruptions: Potential delays in experiments and lectures.
• Deadlines extended: Applications and registrations postponed to protect student careers.

These measures provided breathing room, but the uncertainty lingered, underscoring how a single breach can paralyze an institution serving over 120,000 individuals.

Understanding the Ransomware: Femwar02 and Bablock Malware

Ransomware is malicious software that encrypts files on a victim's systems, rendering them inaccessible until a ransom—typically in cryptocurrency—is paid for the decryption key. In Sapienza's case, the attack is attributed to a previously obscure group called Femwar02, suspected to be pro-Russian based on operational patterns and language protections in the malware. They deployed Bablock, a variant akin to Rorschach ransomware first identified in 2023.

Bablock stands out for its speed and sophistication. Drawing from leaked source code of notorious strains like Babuk, LockBit 2.0, and DarkSide, it uses advanced hybrid encryption with Curve25519 algorithms and HC-128 ciphers, encrypting files in minutes. It employs evasion tactics such as direct system calls, process injection via legitimate tools like notepad.exe, and clearing event logs to dodge detection. Notably, it spares systems in Russian or post-Soviet languages, hinting at geopolitical affiliations.

Unlike traditional ransomware with public leak sites, Bablock focuses on rapid encryption without exfiltration portals, though stolen data risks dark web sales. Italian media reported the ransom demand in the millions of euros, but Sapienza's refusal to engage preserved integrity. For deeper technical insights, refer to Check Point Research on Rorschach ransomware, which details similar mechanics.

This attack exemplifies the evolution of ransomware-as-a-service (RaaS), where groups like Femwar02 sell tools to affiliates, amplifying threats to soft targets like universities rich in intellectual property.

Sapienza's Response: Swift Action and Collaborative Recovery

Sapienza's leadership responded decisively, notifying Italy's Agenzia per la Cybersicurezza Nazionale (ACN), the national Computer Security Incident Response Team (CSIRT), and Polizia Postale immediately. A technical task force was assembled to assess the breach scope, confirm backup integrity, and orchestrate restoration.

Key steps included:

• Immediate network shutdown to contain spread and protect data.
• Verification of unaffected backups for phased restoration.
• Collaboration with authorities for forensic analysis.
• Communication via Instagram (@sapienzaroma), providing real-time updates on progress.
• Setup of campus infopoints and professor-direct exam protocols.

By early February, partial services like some emails returned, with full Infostud recovery pending rigorous security tests. This no-ransom stance aligns with global recommendations, avoiding funding criminals. The university's preparedness—evident in clean backups—exemplifies effective incident response planning.

📊 Cyber Threats in Higher Education: A Growing Epidemic

Higher education institutions are prime ransomware targets due to expansive networks, valuable research data, and often underfunded IT security. In 2025, the sector faced thousands of weekly attacks, with 79% of universities reporting incidents. The U.S. alone saw 130 education ransomware events, while Europe grapples with rising state-affiliated threats.

Sapienza joins a grim list: Eindhoven University (2025 breach disrupted classes), University of Manchester (data leak), and countless others. Statistics reveal education suffers 4,388 attacks weekly on average, a 31% year-over-year surge. Attackers covet personal data for identity theft, research for IP theft, and disruption for leverage.

These trends demand urgent sector-wide vigilance. For more on recent threats, see coverage from Times Higher Education.

🎯 Best Practices to Shield Universities from Ransomware

Preventing attacks like Sapienza's requires layered defenses. Institutions should prioritize:

• Multi-Factor Authentication (MFA): Enforce across all accounts to block credential stuffing.
• Regular Backups: Follow 3-2-1 rule (3 copies, 2 media, 1 offsite/air-gapped).
• Employee Training: Phishing simulations to combat 90% of breaches starting via email.
• Endpoint Detection: Advanced tools for real-time threat hunting.
• Network Segmentation: Isolate critical systems to limit lateral movement.
• Patch Management: Update vulnerabilities promptly, as many exploits target known flaws.

Proactive measures like zero-trust architecture and AI-driven monitoring can transform vulnerabilities into strengths. Universities exploring cybersecurity careers might check higher-ed jobs in IT security roles.

Photo by Growtika on Unsplash

Future Implications for European Higher Education

The Sapienza cyberattack signals escalating risks for Europe's universities, especially amid geopolitical tensions fueling pro-Russian operations. It prompts calls for EU-wide standards, enhanced funding, and shared threat intelligence via frameworks like ENISA.

Positive outcomes emerge: heightened awareness drives investments, with institutions adopting resilient architectures. For academics navigating disruptions, platforms like Rate My Professor offer ways to share experiences and find reliable instructors. Job seekers in resilient higher ed can explore university jobs or higher ed career advice.

In summary, while the outage tested Sapienza's mettle, its response sets a benchmark. Share your thoughts in the comments, and stay vigilant in our digital academic landscape.